1/14

Finch4

Malware-Analysis-Reports/MountLocker at master ·
Finch4/Malware-Analysis-Reports · GitHub

github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker

Analysis of MountLocker

MountLocker is a Ransomware which appeared first on July 2020, in the
sample there are references to a Public RSA Key and ChaCha20. Lately
seems an update added also a worm feature.

Please note, I'm still learning, the analysis is incomplete (and some parts
may be wrong), if you want to read a full analysis read here

Sample

MalwareBazaar:
https://bazaar.abuse.ch/sample/4a5ac3c6f8383cc33c795804ba5f7f5553c029b
bb4a6d28f1e4d8fb5107902c1/

Starting from the start

https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker
https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/
https://bazaar.abuse.ch/sample/4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1/


2/14

Here is simply passing the the command-line string for the current process to
the function I renamed, mw_main  Inside mw_main  we find two other calls to
mw_check_parameters  and mw_core

Diving into mw_check_parameters

https://user-images.githubusercontent.com/52568048/118721093-b503e280-b82a-11eb-8ffb-f386ee3a4f32.png
https://user-images.githubusercontent.com/52568048/118688494-65132480-b806-11eb-8cbb-e6a96e3cad64.png
https://user-images.githubusercontent.com/52568048/118688922-ca671580-b806-11eb-95a7-d734aca02865.png


3/14

The function starts parsing the arguments, the result is then allocated to the
variable command_line_args , if retrieving the arguments is successful the
sample will continue otherwise as you can imagine it will return and the if at
mw_main  will never be True and the sample will exit.

When entering the if the most interesting functions seems the one which
receive as arguments: command_line_args, pNumArgs, {CUSTOM_STRING}, I
renamed this function mw_check_if_contains

mw_check_if_contains

starting from the first two calls to this functions we can see the strings
"/LOGIN="  and "/PASSWORD="  stored inside what seems an array, later you

will se that these arguments are used as part of the worm feature, "/LOGIN="
will contains the lpUserName  and as you can image "/PASSWORD="  will
contains lpPassword  the others are more features/options of MountLocker,
here a list:

commands =  
[ 
 "/LOGIN=", 
 "/PASSWORD=", 
 "/CONSOLE", 
 "/NODEL", 
 "/NOKILL", 
 "/NOLOG", 
 "/SHAREALL", 
 "/NETWORK", 
 "/PARAMS=", 
 "/TARGET=", 
 "/FAST=", 
 "/MIN=", 
 "/MAX=", 
 "/FULLPD", 
 "/MARKER=", 
 "/NOLOCK=" 
] 

https://user-images.githubusercontent.com/52568048/118690078-fa62e880-b807-11eb-8947-428adde7b580.png


4/14

Diving into mw_core

The first two calls are for COM objects, since still I'm learning I didn't
really understood how you use them, so for the moment I will ignore the
calls related to it.

The first call is easy understandable, is retrieving the admin status of the
current user, InitializeCriticalSection acts as Mutex for threads.

dword_1400137EC  is assigned in mw_check_parameters  and its value is 0,
so a !0 will return True, now we have two calls to lstrcpyW ,
&ExistingFileName  is assigned in mw_check_parameters

mw_check_parameters

Here is checking if the file for the logs has been created, if yes set
isLogFeatureEnabled  to True, same if the command "/CONSOLE"  is

passed

https://user-images.githubusercontent.com/52568048/118697053-32b9f500-b80f-11eb-9be4-b55d7b6641c9.png
https://user-images.githubusercontent.com/52568048/118696038-26816800-b80e-11eb-8864-c21f7f673bbe.png
https://user-images.githubusercontent.com/52568048/118793890-54f85500-b899-11eb-8c8b-b0a0e3d401ca.png


5/14

inside mw_console_log  isLogFeatureEnabled  is checked if is True, if yes,
call another function which will check if to write to file or console, or both

mw_console_log

sub_140007454

mw_collect_sys_informations

Now the function mw_init_crypto  will be called, I renamed this function like
that, because seems importing the RSA Key

mw_init_crypto

https://user-images.githubusercontent.com/52568048/118794370-ce904300-b899-11eb-8687-a289171206fb.png
https://user-images.githubusercontent.com/52568048/118794563-fc758780-b899-11eb-86a4-705a7830bcb5.png
https://user-images.githubusercontent.com/52568048/118699735-2aaf8480-b812-11eb-8a82-000ba39f6066.png
https://user-images.githubusercontent.com/52568048/118701579-27b59380-b814-11eb-99ee-04d3f540a3f4.png


6/14

Here is the RSA Key:

The CryptEncrypt  call seems encrypting the buffer &Src  with RSA, curios
is the fact that &Src  is used in another function which I renamed
mw_wrap_chacha  because is a wrapper to a function which uses ChaCha

an help to recognize the ChaCha function is given to CAPA a fantastic tool
developed by the FireEye Team

06 02 00 00 00 A4 00 00  52 53 41 31 00 08 00 00 
01 00 01 00 89 9C 9E 71  D9 2B E9 50 B1 75 DA 27 
07 AA 43 6D FD D7 EA 21  29 7E 8F 07 03 A7 77 57 
E4 7F F2 3D 8F 7C CE 25  51 A9 06 37 79 34 54 C2 
D3 6A 18 65 7F 60 21 13  D0 81 A1 46 AE D3 33 44 
17 21 98 BC 09 62 06 F5  5D 49 D9 37 7D 1E 06 9B 
99 48 2B 7C 75 0B DA DB  C4 B6 E3 63 10 E0 FB C6 
FF C8 61 B5 B1 CC D9 F4  8E B9 B7 EE D3 1C EA 1C 
6B E7 99 95 07 34 F5 C0  FC C3 F0 CB 1A 37 86 F8 
D6 61 4D 37 73 BA 9C A7  1A 9D DF 87 B6 B3 76 CD 
85 8E A5 DD E8 E4 BB 42  FB 46 1E D6 E6 9E 89 52 
5D F8 B2 06 B9 6F 05 1D  5C 5A C4 D9 C3 89 05 98 
AD 95 7E FB 46 38 C0 F3  C3 3B 8D 8A 52 DB BD 42 
C9 0C E4 87 E9 8D 42 B0  C0 48 7A 7E 62 27 AE 87 
C8 00 44 89 E8 78 41 AC  79 EB DC 42 D1 97 9D 75 
9E 0D EE 43 33 05 61 F3  5D 65 5C 42 95 69 E8 E5 
34 3B 99 30 B7 CB E6 8F  85 F5 BB E8 33 A7 05 5A 
B6 A0 BE F1 A0 D8 38 F6  38 37 39 35 33 38 65 32 
30 62 38 32 65 38 30 30  35 32 64 64 35 66 37 65 
66 39 61 64 35 30 37 37 

https://user-images.githubusercontent.com/52568048/118703042-f1791380-b815-11eb-92e8-b31241a335c4.png
https://user-images.githubusercontent.com/52568048/118703479-6d735b80-b816-11eb-8fe4-5cac4dd97bca.png
https://github.com/fireeye/capa
https://www.fireeye.com/


7/14

and also if you look carefully to the strings

next we can see some instructions that have something to do with the
command "/NETWORK"  if you pass this argument and the executable isn't
started as administrator, the function will return

if the "/NETWORK"  command isn't passed, we proceed

here we check if the command "/NOKILL"  has been passed, if yes we
proceed to calling mw_killservices  and mw_kill_processes , from the
names you can easily understand what it's doing, these are two lists of which
services and processes will terminate

If the service name contains those strings, close the service

https://user-images.githubusercontent.com/52568048/118704188-246fd700-b817-11eb-82e1-f329cd39a12a.png
https://user-images.githubusercontent.com/52568048/118704682-aeb83b00-b817-11eb-8230-e257879bcf32.png
https://user-images.githubusercontent.com/52568048/118705712-d9ef5a00-b818-11eb-8de6-561edd59c2b1.png


8/14

These are the processes

services_to_close =  
[ 
 "SQL", 
 "database", 
 "msexchange", 
] 

https://user-images.githubusercontent.com/52568048/118706305-80d3f600-b819-11eb-95af-df17843f7056.png


9/14

after killing the processes and the services, the sample checks for the
command "/TARGET="

processes_to_kill =  
[ 
"msftesql.exe", 
"sqlagent.exe", 
"sqlbrowser.exe", 
"sqlwriter.exe", 
"oracle.exe", 
"ocssd.exe", 
"dbsnmp.exe", 
"synctime.exe", 
"agntsvc.exe", 
"isqlplussvc.exe", 
"xfssvccon.exe", 
"sqlservr.exe", 
"mydesktopservice.exe", 
"ocautoupds.exe", 
"encsvc.exe", 
"firefoxconfig.exe", 
"tbirdconfig.exe", 
"mydesktopqos.exe", 
"ocomm.exe", 
"mysqld.exe", 
"mysqld-nt.exe", 
"mysqld-opt.exe", 
"dbeng50.exe", 
"sqbcoreservice.exe", 
"excel.exe", 
"infopath.exe", 
"msaccess.exe", 
"mspub.exe", 
"onenote.exe", 
"outlook.exe", 
"powerpnt.exe", 
"sqlservr.exe", 
"thebat.exe", 
"steam.exe", 
"thebat64.exe", 
"thunderbird.exe", 
"visio.exe", 
"winword.exe", 
"wordpad.exe", 
"QBW32.exe", 
"QBW64.exe", 
"ipython.exe", 
"wpython.exe", 
"python.exe", 
"dumpcap.exe", 
"procmon.exe", 
"procmon64.exe", 
"procexp.exe", 
"procexp64.exe" 
] 



10/14

seems to be a command to target specific files, specific drive, specific server

meanwhile this is the default lock

mw_wrap_stats_log

https://user-images.githubusercontent.com/52568048/118710028-0c4f8600-b81e-11eb-85e8-361b77398167.png
https://user-images.githubusercontent.com/52568048/118710594-cba43c80-b81e-11eb-9b26-dccb714fcd64.png
https://user-images.githubusercontent.com/52568048/118711105-787eb980-b81f-11eb-9b20-91fc72b5ab94.png
https://user-images.githubusercontent.com/52568048/118711428-e0cd9b00-b81f-11eb-95ee-af0ad9baef95.png


11/14

Overview of the worm feature

Seems the worm feature is divided in two categories:

Enum PC into domain
Enum PC into network

Both share the need of

"/LOGIN="  and "/PASSWORD="

After getting access to the computer it will drop the same executable passing
the command "/NOLOG" , you can see also other if statements checking if the
servername  contains certain strings

https://user-images.githubusercontent.com/52568048/118711603-11add000-b820-11eb-8e0b-7ccd469d41a1.png
https://user-images.githubusercontent.com/52568048/118712349-fd1e0780-b820-11eb-9ad5-d79ece93742c.png
https://user-images.githubusercontent.com/52568048/118715060-774f8b80-b823-11eb-9762-c4d72387ed1b.png


12/14

After a service called "Update{GetTickCount()}"  will be created

with lpBinaryPathName  equal to the path where the sample has been
dropped

also it seems to create a process with WMI

ROOT\CIMV2

https://user-images.githubusercontent.com/52568048/118715509-f93fb480-b823-11eb-93a5-8d6e93036123.png
https://user-images.githubusercontent.com/52568048/118716341-00b38d80-b825-11eb-87e5-22039b05fe5a.png
https://user-images.githubusercontent.com/52568048/118717050-d44c4100-b825-11eb-8753-da602792218c.png
https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-and-wmi#constructing-the-uri-prefix-for-wmi-classes
https://user-images.githubusercontent.com/52568048/118717197-09589380-b826-11eb-87da-c9c9c0050e6b.png


13/14

Create - Win32

The function mw_create_worm_service  will return GetLastError()

if the return value != 1326 ERROR_LOGON_FAILURE  "The user name or
password is incorrect."  https://docs.microsoft.com/en-
us/windows/win32/debug/system-error-codes--1300-1699-

it will switch the return value and then write it in the logs

Same for creating a process with the WMI

https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/create-method-in-class-win32-process
https://user-images.githubusercontent.com/52568048/118718454-8afcf100-b827-11eb-940a-049c548e49cf.png
https://docs.microsoft.com/en-us/windows/win32/debug/system-error-codes--1300-1699-
https://user-images.githubusercontent.com/52568048/118719068-49207a80-b828-11eb-9e0e-307922f0dbd4.png


14/14

Conclusion

I spent some time for this analysis, I hope it is correct and useful, please if you
notice some errors in the analysis let me know, I want to improve myself. Seen
this is my best analysis right now I would like to add some informations about
myself; I'm Italian and I'm 17 years old, I would like to get a job as Malware
Analyst when I will turn 18, for more information this is my secondary email:
blacXkdog1X7of@XgmaiXl.com (remove all "X")

Thank you for reading my analysis!

Feedbacks

Thanks to:

https://twitter.com/cPeterr [https://chuongdong.com/]

Useful resources

https://user-images.githubusercontent.com/52568048/118719306-9ef52280-b828-11eb-910a-ea93e140e789.png
http://10.10.0.46/mailto:blacXkdog1X7of@XgmaiXl.com
https://twitter.com/cPeterr
https://chuongdong.com/